
BlackShield ID MP Token Guide - SafeNet


Trademarks

CRYPTOCard and the CRYPTOCard logo are registered trademarks of CRYPTOCard Corp. in Canada and/or other countries. All other goods and/or services mentioned are trademarks of their respective companies.

License agreement

This software and the associated documentation are proprietary and confidential to CRYPTOCard, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by CRYPTOCard.

Third-party licenses

This product may include software developed by parties other than CRYPTOCard. The text of the license agreements applicable to third-party software in this product may be viewed in the \\CRYPTOCard\BlackShield ID\Open Source Licenses folder of a default BlackShield ID installation.

Note on encryption technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Contact Information

CRYPTOCard’s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.

To contact CRYPTOCard directly:

International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
Email: support@cryptocard.com


For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com. Go to the CRYPTOCard corporate web site for regional Customer Support telephone and fax numbers: http://www.cryptocard.com

Publication History

Date                 Changes
January 10, 2010     Initial release
September 23, 2010   Minor update


Table of Contents

Overview
Operating Modes & Options
Using the MP Token on Windows XP/2003/2008/Vista/7
  Installing the BlackShield ID Software Tools
  Loading an MP token file
  Generating a Token Code (QuickLog™ mode)
  Generating a Token Code (Challenge-response mode)
  User-changeable PIN
  Token Code Resynchronization
  Unlock Token (Remote Unlock)
Using the MP Token on a BlackBerry Mobile Device
Using the MP Token on a Java Phone
Using the MP Token on an iPhone


Overview

The MP token is a software implementation of the hardware token that can be installed on a range of devices including hard drives, mobile devices such as BlackBerry®, Java phones, iPhone® and secure flash drives such as IronKey® or SafeStick®, turning a device already in the hands of a user into a token.

The advantage of software tokens is mass deployment without hardware distribution. By thoughtful selection of the type of device upon which a software token can be installed, Security Administrators can lock a user to a specific machine, limit the user to using only secure platforms or provide complete machine independence. With BlackShield ID, MP tokens can be issued, revoked and reissued without restriction or the need to recover the token from the user. With the exception of BlackBerry and Java phones, multiple MP software tokens can be installed on a single device (e.g. hard drive) provided the usernames are unique.

Supported platforms: Windows XP/2003/2008/Vista/7, BlackBerry®, Java phones, IronKey®, SafeStick®, iPhone®.

The MP token generates a new, pseudo-random token code each time the token is activated. An MP PIN consists of a string of 3 to 8 alphanumeric characters that is used to guard against unauthorized use. If PIN protection is enabled, the user must provide a PIN with the one-time token code to authenticate. Multiple tokens, each protected by their own unique PIN, may reside on a single BlackShield Software Tools installation.


Operating Modes & Options

The MP token supports a wide range of operating modes that can be modified from the Token Templates section within the Policy Admin Tab of the BlackShield ID Manager. The MP Token template settings are used upon creation of MP tokens; they are not applied when issued.

Mode:

Tokens can operate in either Challenge-Response or Quick Log mode. Default value: Quick Log.

Quick Log mode is recommended because it greatly simplifies the User logon experience and strengthens security by eliminating the requirement to have the user key a challenge into a token to get an OTP. In addition, Quick Log mode is supported by all systems that require a logon password.

Complexity:

The OTPs generated by the token can be comprised of numbers, letters and additional characters as follows:

• Decimal: token generates passcodes comprised of digits from 0-9.
• Hexadecimal: token generates passcodes comprised of digits and letters from 0-9 and A-F.
• Base32: token generates passcodes comprised of digits and letters from 0-9 and A-Z. (Default value).
• Base64: token generates passcodes comprised of digits and letters from 0-9 and Aa-Zz, as well as other printable characters available via Shift + 0-9.

Length:

This option determines the number of characters displayed as the OTP. Options are 5, 6, 7 or 8 characters. Default value: 8.

Display Mask:

If set to ‘Telephone Mode’, the 4th character of the OTP will always be a dash (“-”). Typically this is used with a decimal OTP, length of 8. Example OTP: 123-5678. If set to ‘None’, the 4th character is unmodified. Example OTP: 12345678. Telephone mode can be used with any token complexity and length setting. Default value: Telephone Mode.

Note: the dash is not entered as part of the OTP on login attempts, therefore it is not required for authentication.

Remote Unlock:

Allows a locked MP token to be unlocked using the unlock code provided for the token within the Secured Users tab. This avoids the need to redeploy the MP token to the user.

PIN Type:

This setting determines the type of PIN to be used with the token.

• No PIN means the user doesn’t need to enter a PIN into the Token application to generate a Token Code.
• Fixed PIN means that the PIN generated for the token during initialization is permanent and cannot be changed without reissuing the token. This PIN must always be keyed into the token before a password is generated.
• User selected PIN means that the user must change the PIN generated for the token during initialization before a password will be generated. Thereafter the user can change the PIN at any time. Note that the PIN change must conform to the minimum requirements for PIN Length, Complexity and Maximum PIN Attempts.
• Server-side Fixed means that the PIN generated for the token at initialization is permanent and cannot be changed without reinitializing the token. An initial PIN number is used to install the token into the BlackShield Software Tools but token codes are generated without the need of a PIN. This PIN type is evaluated at BlackShield ID during authentication.


• Server-side User Select means that the PIN generated for the token can be changed by the User. An initial PIN number is used to install the token into the BlackShield Software Tools but token codes are generated without the need of a PIN. The new PIN must conform to the minimum requirements set in the Server-side PIN Policy Group on the Policy Admin Tab.
• Server-side Server Select means that the PIN generated for the token can be changed; however, the new PIN will be generated by BlackShield ID and will conform to the minimum requirements set in the Server-side PIN Policy Group on the Policy Admin Tab.

Note: Server-side PINs require the user to prepend the PIN to the token-generated password during login, allowing the PIN to be evaluated by BlackShield. For example, if the user PIN is ABCD and the password is 12345678, the user would enter ABCD12345678 at the password prompt. All other PIN types require the user to key the correct PIN into the token before a password is generated. In this case the user provides only the password at the password prompt. For example, if the user PIN is 8432 and the password is 12345678, the user will enter 12345678 at the password prompt. Generally Server-side PINs are used with KT tokens.

Initial PIN:

Determines the nature of the initial PIN created for a token during initialization. If ‘Random’, BlackShield ID will generate a random PIN that conforms to the minimum PIN Policy options set in the dropdowns for this group for each token during initialization. If ‘Fixed’, all tokens will be initialized with the same PIN. Default value: Random.

Min. PIN Length:

Determines the minimum PIN length that can be used with the token.

• This option is disabled if PIN Type is set to ‘No PIN’. The user will not be required to use a PIN at any time.
• This option is disabled if PIN Type is set to Server-side Fixed, Server-side User Select or Server-side Server Select. The user will be required to use a PIN according to the options set in the Server-side PIN Policy Group.
• This option is enabled if PIN Type is set to Fixed PIN or User selected PIN. This requires that any PIN set for the token meet the indicated minimum number of digits. The range is 1 to 8 digits.

Allow Trivial PINs:

If enabled, a PIN may be 3 or more consecutive numbers (e.g. 1234) or 3 or more identical digits (e.g. 2222). Default value: selected.
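The template options described above (Complexity, Length and Display Mask, the PIN Types with the server-side PIN prefix, Min. PIN Length, Allow Trivial PINs, and the Max. PIN Attempts lockout) can be pinned down in a small model. The Python below is an added example written for this page, not CRYPTOCard or SafeNet code, and it does not reproduce the token's code-generation algorithm. The codes and PINs in it are constructed; the Shift+0-9 symbols assumed for Base64 are those of a US keyboard; the Max. PIN Attempts value of 3 is assumed; and Telephone Mode is taken to replace the 4th generated character with the dash, as the guide's example 123-5678 reads, so that character plays no part in authentication.

```python
import hmac
import string
from dataclasses import dataclass

# Complexity alphabets as the guide describes them. The guide's "Base32" is the
# 36 symbols 0-9 A-Z (not RFC 4648 Base32); for "Base64" the Shift+0-9 symbols
# of a US keyboard, ")!@#$%^&*(", are assumed.
ALPHABETS = {
    "Decimal": string.digits,
    "Hexadecimal": string.digits + "ABCDEF",
    "Base32": string.digits + string.ascii_uppercase,
    "Base64": string.digits + string.ascii_letters + ")!@#$%^&*(",
}
DASH_INDEX = 3  # zero-based index of the 4th displayed character (Telephone Mode)
TOKEN_SIDE_PIN_TYPES = ("Fixed PIN", "User selected PIN")

def display_code(raw, complexity="Decimal", length=8, telephone_mode=True):
    """Render a generated code as the token shows it. Assumption: in Telephone Mode
    the 4th generated character is replaced by the dash (guide example 123-5678)."""
    if length not in (5, 6, 7, 8):
        raise ValueError("Length must be 5, 6, 7 or 8")
    if len(raw) != length or any(c not in ALPHABETS[complexity] for c in raw):
        raise ValueError("code does not fit the template's alphabet and length")
    return raw[:DASH_INDEX] + "-" + raw[DASH_INDEX + 1:] if telephone_mode else raw

def strip_dash(code):
    """The dash is optional on login: drop it if the user typed it."""
    if len(code) > DASH_INDEX and code[DASH_INDEX] == "-":
        return code[:DASH_INDEX] + code[DASH_INDEX + 1:]
    return code

def code_matches(shown, entered):
    """Verifier-side check, dash-insensitive and in constant time."""
    return hmac.compare_digest(strip_dash(shown).encode(), strip_dash(entered).encode())

def is_trivial(pin):
    """Allow Trivial PINs: 3+ consecutive digits (1234) or 3+ identical characters (2222)."""
    for i in range(len(pin) - 2):
        a, b, c = pin[i], pin[i + 1], pin[i + 2]
        if a == b == c:
            return True
        if a.isdigit() and b.isdigit() and c.isdigit() and int(c) - int(b) == int(b) - int(a) == 1:
            return True
    return False

@dataclass
class PinPolicy:
    pin_type: str = "User selected PIN"
    min_length: int = 4          # Min. PIN Length (1-8); enforced for token-side PIN types only
    allow_trivial: bool = True   # guide default: selected
    max_attempts: int = 3        # Max. PIN Attempts; 3 is an assumed value

    def check_new_pin(self, pin):
        """Return the policy violations for a proposed PIN; an empty list means OK."""
        problems = []
        if not 1 <= len(pin) <= 8 or not pin.isalnum():
            problems.append("PIN must be 1 to 8 alphanumeric characters")
        if self.pin_type in TOKEN_SIDE_PIN_TYPES and len(pin) < self.min_length:
            problems.append(f"PIN shorter than Min. PIN Length of {self.min_length}")
        if not self.allow_trivial and is_trivial(pin):
            problems.append("trivial PIN not allowed by the template")
        return problems

@dataclass
class MpToken:
    """Token-side PIN check with the 'Locked' state; the PIN is held in clear only to keep this short."""
    policy: PinPolicy
    pin: str
    failed_attempts: int = 0
    locked: bool = False

    def verify_pin(self, entered):
        if self.locked:
            return False
        if hmac.compare_digest(self.pin.encode(), entered.encode()):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.max_attempts:
            self.locked = True  # stays locked until reinitialised or remotely unlocked
        return False

    def unlock(self, new_pin):
        """Outcome of Remote Unlock once the server response has been accepted (that exchange is not modelled)."""
        problems = self.policy.check_new_pin(new_pin)
        if not problems:
            self.pin, self.failed_attempts, self.locked = new_pin, 0, False
        return problems

def split_server_side_entry(entered, otp_length=8):
    """Server-side PIN types: the user types the PIN immediately followed by the
    token code, e.g. ABCD12345678 -> ('ABCD', '12345678'); None if too short."""
    if len(entered) <= otp_length:
        return None
    return entered[:-otp_length], entered[-otp_length:]
```

The guide does not say how the token compares PINs; hmac.compare_digest is used here simply because it is the right primitive for any secret comparison a verifier performs. check_new_pin applies Min. PIN Length only to the token-side PIN types, mirroring the guide's statement that the option is disabled for No PIN and the Server-side types, and a token that has reached Max. PIN Attempts rejects even the correct PIN until unlock succeeds, which is the behaviour the ‘Locked’ state describes.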


Max. PIN Attempts:

Determines the maximum number of consecutive failed PIN attempts permitted by the token. If this number is exceeded, the token will enter the ‘Locked’ state and cannot be used for authentication until it is reinitialized or unlocked via the unlock code provided in BlackShield. This option is available only if PIN Type is set to Fixed PIN or User selected PIN.

Click the ‘Apply’ button to apply changes to the template. Changes to the template will be applied to MP tokens during creation. Previously initialized MP tokens will be unaffected by changes to a template.

Using the MP Token on Windows XP/2003/2008/Vista/7

Installing the BlackShield ID Software Tools

Locate and run the agent installer:

• BlackShield ID Software Tools.exe for 32-bit systems.
• BlackShield ID Software Tools x64.exe for 64-bit systems.

The following will be requested:

• Prompt to accept the license agreement.
• Selection of the installation location.
• Prompt to accept device driver installation.

Loading an MP token file

MP tokens can be activated in the BlackShield Token Authenticator via Self-Enrollment or by loading an MP token file. For information on Self-Enrollment or manually issuing MP tokens, refer to the BlackShield Server Administrator's Manual found in the support section of www.cryptocard.com or within your BlackShield distribution package.


Generating a Token Code (QuickLog™ mode)

The MP automates authentication when used in conjunction with CRYPTOCard agents or compatible third-party plug-ins in a Windows environment. The user simply enters his PIN and clicks OK when prompted and the MP completes the authentication.

If the token template was configured to use a Fixed or User Select PIN, access to the BlackShield Software Tools application requires the user to enter a 3 to 8 character PIN. The PIN is generally unique for each token and known only to the owner of the token.

If the token template was configured to use a Server-side PIN, the BlackShield Software Tools application will generate the token code without a need to provide a PIN. Server-side PINs require the user to prepend the PIN to the token-generated password during login, allowing the PIN to be evaluated by BlackShield.

In instances where a user is attempting to connect to a network device or web resource for which a CRYPTOCard agent or third-party plug-in does not exist, there is no automated means by which the BlackShield Software Tools application can furnish the one-time password to the entity/asset for authentication. Therefore, MP tokens enable the user to generate a one-time Token Code that can then be entered manually when the user is prompted for a password by the application/entity interface.

1. Launch the Token Authenticator from Start | All Programs | CRYPTOCard | Token.
2. Select the token from the Token field (if more than one software token is installed) and click Generate Token Code.
3. Enter the PIN (if required).
4. Cut and paste, or transcribe, the one-time Token Code into the logon/password dialog of the application/entity interface you are authenticating against.

Generating a Token Code (Challenge-response mode)

QuickLog™ is the recommended mode for all CRYPTOCard tokens. Challenge-response mode should only be used if required.

1. Launch the Token Authenticator from Start | All Programs | CRYPTOCard | Token.
2. When you attempt to log in to the application or entity interface, you will receive an 8-digit challenge.
3. Click Generate Token Code on the Token Authenticator dialog window.
4. Enter the PIN and 8-digit challenge. A Token Code will be displayed.
5. Cut and paste, or transcribe, the response into the application or entity interface logon dialog.

User-changeable PIN

If the MP token is configured with a PIN Style of User-changeable PIN, the user will be forced to change the initial deployment PIN on first use. Thereafter, the user can change the PIN at any time, within the established security policy parameters.

1. Launch the Token Authenticator from Start | All Programs | CRYPTOCard | Token.
2. Select Tools | Change PIN from the toolbar.
3. Enter the Current PIN, New PIN, and Verify new PIN. Click OK.

Token Code Resynchronization

Token resynchronization may be required if the user has generated a large number of token codes without logging on (authenticating). Token resynchronization requires the user to enter a “challenge” into the token. The challenge must be provided by the Help Desk or via a Web-based resynchronization page. In the unlikely event that the token requires resynchronization with the authentication server:

1. Launch the Token Authenticator from Start | All Programs | CRYPTOCard | Token.
2. Select Tools | Resync from the toolbar.
3. Enter your PIN and the resynchronization Challenge.
4. Cut and paste, or transcribe, the one-time Token Code into the logon/password dialog of the application/entity interface you are authenticating against.

Unlock Token (Remote Unlock)

If the Max PIN Attempts threshold is exceeded, an MP token will enter a ‘Locked’ state and cannot be used for authentication. The Unlock Token option allows for a token to be enabled without having to redeploy the token file to the user.

1. Launch the Token Authenticator from Start | All Programs | CRYPTOCard | Token.
2. Select Tools | Unlock Token from the toolbar.
3. Provide the Unlock Challenge to the CRYPTOCard Administrator, then enter the Server Response provided to you.
4. Enter the New PIN, and Verify new PIN. Click OK.
5. A Token Unlocked message will appear. The MP token may now be used to generate Token Codes.


Using the MP Token on a BlackBerry Mobile Device

The BlackBerry is a wireless handheld device which supports e-mail, mobile telephone, text messaging, web browsing and other wireless information services. There are various methods of deploying a CRYPTOCard MP token to BlackBerry devices. Please refer to the BlackBerry Token Guide found in the support section of www.cryptocard.com for more information.

Using the MP Token on a Java Phone

Security Administrators can transform Java ME mobile phones into tokens that will generate PIN-protected one-time passwords valid for strong authentication at VPNs, Web applications, Citrix and any other BlackShield ID protected on-line resources. Please refer to the Java Phone Token Guide found in the support section of www.cryptocard.com for more information.

Using the MP Token on an iPhone

MP tokens can be used on the iPhone or iPad. Please refer to the iPhone Token Guide found in the support section of www.cryptocard.com for more information.
